sourcegraph
diff --git a/‎benchmarks/ccb_security/sec-transitive-002/environment/Dockerfile‎
Lines changed: 51 additions & 0 deletions b/‎benchmarks/ccb_security/sec-transitive-002/environment/Dockerfile‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎benchmarks/ccb_security/sec-transitive-002/instruction.md‎
Lines changed: 135 additions & 0 deletions b/‎benchmarks/ccb_security/sec-transitive-002/instruction.md‎
Lines changed: 135 additions & 0 deletions
diff --git a/‎benchmarks/ccb_security/sec-transitive-002/task.toml‎
Lines changed: 19 additions & 0 deletions b/‎benchmarks/ccb_security/sec-transitive-002/task.toml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎benchmarks/ccb_security/sec-transitive-002/tests/expected_patches/README.md‎
Lines changed: 13 additions & 0 deletions b/‎benchmarks/ccb_security/sec-transitive-002/tests/expected_patches/README.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎benchmarks/ccb_security/sec-transitive-002/tests/ground_truth.json‎
Lines changed: 134 additions & 0 deletions b/‎benchmarks/ccb_security/sec-transitive-002/tests/ground_truth.json‎
Lines changed: 134 additions & 0 deletions
@@ -0,0 +1,51 @@
+FROM golang:1.20-bookworm
+
+# Install dependencies for verifier (jq and bc for weighted checklist scoring)
+RUN apt-get update && apt-get install -y jq bc git && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone grpcurl at v1.8.7 (the consuming project)
+# Commit: 25c896aa59ffc36f7d12cf5d6c18e9c8f4421bfa
+RUN git clone https://github.com/fullstorydev/grpcurl.git grpcurl && \
+    cd grpcurl && \
+    git checkout 25c896aa59ffc36f7d12cf5d6c18e9c8f4421bfa && \
+    git log -1 --format="%H %s" | head -1 | grep -q "25c896a"
+
+# Clone grpc-go at v1.56.2 (the intermediate dependency)
+# This version uses golang.org/x/net v0.14.0 (vulnerable to CVE-2023-39325)
+RUN git clone https://github.com/grpc/grpc-go.git grpc-go && \
+    cd grpc-go && \
+    git checkout v1.56.2 && \
+    git log -1 --format="%H %s" | head -1 | grep -q "v1.56.2"
+
+# Clone golang.org/x/net at v0.14.0 (VULNERABLE version)
+# This version is before v0.17.0 which fixed CVE-2023-39325
+RUN git clone https://go.googlesource.com/net && \
+    cd net && \
+    git checkout v0.14.0 && \
+    git describe --tags | grep -q "v0.14.0"
+
+# Verify the vulnerability exists in x/net v0.14.0
+# CVE-2023-39325 was fixed in v0.17.0 with addition of scheduleHandler() and handler throttling
+# In v0.14.0, processHeaders() directly spawns handlers without limit enforcement
+RUN cd net && \
+    grep -q "func (sc \*serverConn) processHeaders" http2/server.go && \
+    ! grep -q "scheduleHandler" http2/server.go && \
+    echo "Confirmed: x/net v0.14.0 is VULNERABLE to CVE-2023-39325 (no scheduleHandler throttling)"
+
+# Create logs directory for agent output
+RUN mkdir -p /logs/agent
+
+# Display dependency information
+RUN echo "===== Repository Versions =====" && \
+    echo "grpcurl: v1.8.7 (25c896a)" && \
+    cd grpcurl && git log -1 --oneline && \
+    echo "" && \
+    echo "grpc-go: v1.56.2" && \
+    cd /workspace/grpc-go && git log -1 --oneline && \
+    echo "" && \
+    echo "golang.org/x/net: v0.14.0 (VULNERABLE)" && \
+    cd /workspace/net && git log -1 --oneline
+
+WORKDIR /workspace
@@ -0,0 +1,135 @@
+# Security Triage: Transitive Dependency Vulnerability Assessment
+
+## Objective
+
+You are a security analyst reviewing a potential vulnerability in a Go project. Your task is to determine if the project is affected by a vulnerability in a transitive dependency and document the complete import chain.
+
+## Context
+
+**Project**: `fullstorydev/grpcurl` (v1.8.7) - A command-line tool for interacting with gRPC servers (like cURL, but for gRPC)
+
+**Vulnerability**: CVE-2023-39325 in `golang.org/x/net/http2`
+
+**CVE Summary**:
+- **Severity**: High (CVSS 7.5)
+- **Type**: Denial of Service via HTTP/2 Rapid Reset
+- **Package**: `golang.org/x/net/http2`
+- **Affected versions**: < v0.17.0
+- **Fixed in**: v0.17.0 (October 2023)
+- **Description**: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by `http2.Server.MaxConcurrentStreams`, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. This vulnerability specifically affects HTTP/2 **server** implementations that use `golang.org/x/net/http2.Server.ServeConn`.
+
+## The Dependency Chain
+
+The `fullstorydev/grpcurl` project has the following dependency structure:
+
+```
+fullstorydev/grpcurl v1.8.7
+  └── google.golang.org/grpc v1.56.2
+        └── golang.org/x/net v0.14.0 (August 2023, VULNERABLE)
+```
+
+## Vulnerability Scope
+
+**Vulnerable Symbol**: `golang.org/x/net/http2.Server.ServeConn`
+
+**Important Context**: CVE-2023-39325 affects HTTP/2 **SERVER** implementations. It does **NOT** affect HTTP/2 **clients**. The vulnerability is triggered when a malicious client connects to an HTTP/2 server and sends rapid RST_STREAM frames.
+
+## Repositories Available
+
+You have access to three Git repositories in `/workspace`:
+
+1. **grpcurl/** - The consuming project (`github.com/fullstorydev/grpcurl` at v1.8.7)
+2. **grpc-go/** - The intermediate dependency (`google.golang.org/grpc` at v1.56.2)
+3. **net/** - The vulnerable library (`golang.org/x/net` at v0.14.0, VULNERABLE version)
+
+## Your Task
+
+Analyze the code and provide a security triage report answering these questions:
+
+1. **Is grpcurl affected by CVE-2023-39325?**
+   - Does grpcurl use `google.golang.org/grpc`?
+   - Does `grpc-go` use `golang.org/x/net/http2`?
+   - Does grpcurl actually call the vulnerable code path (`http2.Server.ServeConn`)?
+   - Or does it only use HTTP/2 **client** functionality?
+
+2. **What is the complete import chain?**
+   - Trace the dependency from grpcurl → grpc-go → golang.org/x/net
+   - Identify the specific files and functions in grpcurl that use gRPC
+   - Identify how grpc-go uses `golang.org/x/net/http2`
+   - Determine if grpc-go uses `http2.Server` (server) or `http2.Transport` (client)
+
+3. **What is the actual usage pattern?**
+   - Is grpcurl a **client** tool or a **server**?
+   - Does grpcurl run an HTTP/2 server, or does it only make HTTP/2 client requests?
+   - Are there any server-side HTTP/2 code paths in grpcurl or grpc-go that would expose the vulnerability?
+
+4. **Assessment**
+   - Is the project affected? (YES/NO)
+   - What is the risk level? (CRITICAL/HIGH/MEDIUM/LOW/NONE)
+   - Why is it affected or not affected?
+
+## Output Format
+
+Write your analysis to `/logs/agent/triage.md` with the following sections:
+
+```markdown
+# CVE-2023-39325 Transitive Dependency Analysis
+
+## Summary
+[Brief summary: Is grpcurl affected? What's the verdict?]
+
+## Dependency Chain Analysis
+
+### Direct Dependency: grpcurl → grpc-go
+[Evidence from grpcurl's go.mod and code that imports/uses grpc-go]
+
+### Transitive Dependency: grpc-go → golang.org/x/net
+[Evidence from grpc-go's go.mod and code that uses golang.org/x/net/http2]
+
+### Vulnerable Code Usage Analysis
+[Evidence of whether http2.Server.ServeConn or http2.Transport (client) is used]
+
+## Code Path Trace
+
+### Entry Point in grpcurl
+[File and function in grpcurl that makes gRPC calls]
+
+### gRPC Client in grpc-go
+[How grpc-go implements gRPC client calls using HTTP/2]
+
+### HTTP/2 Transport in golang.org/x/net
+[Which HTTP/2 components are actually used: Server or Transport (client)?]
+
+## Server vs Client Analysis
+
+**grpcurl Purpose**: [Is it a client tool or server tool?]
+
+**HTTP/2 Server Usage**: [Does grpcurl or grpc-go run an HTTP/2 server?]
+
+**HTTP/2 Client Usage**: [Does grpcurl use HTTP/2 client to connect to gRPC servers?]
+
+**Vulnerable Function Path**: [Is http2.Server.ServeConn called anywhere in the stack?]
+
+## Impact Assessment
+
+**Affected**: [YES/NO]
+
+**Risk Level**: [CRITICAL/HIGH/MEDIUM/LOW/NONE]
+
+**Rationale**: [Explain why the project is or is not affected based on client vs server usage]
+
+**Exploitability**: [Can an attacker trigger CVE-2023-39325 against grpcurl?]
+
+## Remediation
+
+[Recommended actions: upgrade, accept risk, or no action needed]
+```
+
+## Important Notes
+
+- This is an **analysis-only** task. Do NOT modify any code.
+- Provide specific file paths, line numbers, and code snippets as evidence.
+- The vulnerability is in a **transitive** dependency (grpcurl → grpc-go → x/net).
+- Pay close attention to **client vs server** distinction: CVE-2023-39325 only affects **servers**.
+- grpcurl is a **command-line tool** - think about what that means for server vs client usage.
+- A project can have a vulnerable library in its dependency tree but still be NOT affected if it doesn't use the vulnerable code path.
@@ -0,0 +1,19 @@
+[task]
+id = "sec-transitive-002"
+description = "Transitive dependency vulnerability analysis: grpcurl with CVE-2023-39325 (NOT affected)"
+category = "transitive_dependency"
+language = "go"
+time_limit_sec = 1200
+
+[metadata]
+difficulty = "hard"
+tags = ["security", "cve", "dependency-analysis", "http2", "client-only", "false-positive"]
+
+[environment]
+# Build from Dockerfile in environment/ subdirectory
+type = "dockerfile"
+path = "environment"
+
+[outputs]
+# Agent writes triage report to /logs/agent/triage.md
+required = ["/logs/agent/triage.md"]
@@ -0,0 +1,13 @@
+# Expected Patches
+
+This is an **analysis-only** task. The agent should NOT modify any code.
+
+The expected output is a security triage report at `/logs/agent/triage.md` that correctly identifies that grpcurl is **NOT affected** by CVE-2023-39325 despite having a vulnerable version of golang.org/x/net in its dependency tree.
+
+## Why NOT Affected?
+
+CVE-2023-39325 affects HTTP/2 **servers** (specifically `golang.org/x/net/http2.Server.ServeConn`).
+
+grpcurl is a **client-only** tool that uses HTTP/2 **Transport** (client-side) to make gRPC calls to remote servers. It never runs an HTTP/2 server, so the vulnerable code path is never executed.
+
+This is a common false positive scenario in dependency scanning tools.
@@ -0,0 +1,134 @@
+{
+  "required_findings": [
+    {
+      "id": "finding_1",
+      "description": "Correctly identify that grpcurl is a CLIENT tool, not a server",
+      "patterns": ["grpcurl.*client", "command-line tool", "client.*grpc", "not.*server"],
+      "weight": 0.15
+    },
+    {
+      "id": "finding_2",
+      "description": "Identify that CVE-2023-39325 affects HTTP/2 SERVER only (http2.Server.ServeConn)",
+      "patterns": ["server.*only", "http2\\.Server", "ServeConn", "server-side", "server.*vulnerable"],
+      "weight": 0.15
+    },
+    {
+      "id": "finding_3",
+      "description": "Identify that grpc-go uses HTTP/2 TRANSPORT (client) not SERVER",
+      "patterns": ["http2\\.Transport", "client.*transport", "dial", "NewClient", "clientconn"],
+      "weight": 0.15
+    },
+    {
+      "id": "finding_4",
+      "description": "Confirm the dependency chain: grpcurl → grpc-go → golang.org/x/net",
+      "patterns": ["grpcurl.*grpc-go", "grpc.*x/net", "google\\.golang\\.org/grpc", "golang\\.org/x/net"],
+      "weight": 0.10
+    },
+    {
+      "id": "finding_5",
+      "description": "Correctly assess as NOT AFFECTED despite having vulnerable library",
+      "patterns": ["not.*affected", "NOT AFFECTED", "not vulnerable", "false positive", "not exploitable"],
+      "weight": 0.20
+    },
+    {
+      "id": "finding_6",
+      "description": "Explain that the vulnerable code path (http2.Server) is never called",
+      "patterns": ["never.*server", "doesn't.*use.*Server", "only.*client", "no.*server.*code", "client.*only"],
+      "weight": 0.15
+    },
+    {
+      "id": "finding_7",
+      "description": "Risk level assessment: LOW or NONE (not CRITICAL/HIGH)",
+      "patterns": ["risk.*low", "risk.*none", "risk.*minimal", "no.*risk"],
+      "weight": 0.10
+    }
+  ],
+  "file_references": [
+    {
+      "id": "file_ref_1",
+      "description": "Reference to grpcurl main.go or invoke.go (the entry point that makes gRPC calls)",
+      "patterns": ["grpcurl.*main\\.go", "grpcurl.*invoke\\.go", "cmd/grpcurl"],
+      "weight": 0.30
+    },
+    {
+      "id": "file_ref_2",
+      "description": "Reference to grpc-go clientconn.go or transport (HTTP/2 client usage)",
+      "patterns": ["grpc.*clientconn", "grpc.*transport", "internal/transport", "grpc.*dial"],
+      "weight": 0.35
+    },
+    {
+      "id": "file_ref_3",
+      "description": "Reference to golang.org/x/net/http2 (Transport or client-side components)",
+      "patterns": ["x/net/http2", "net/http2.*transport", "http2.*client"],
+      "weight": 0.35
+    }
+  ],
+  "causal_chain": [
+    {
+      "id": "chain_1",
+      "description": "Entry point: grpcurl CLI invokes gRPC client calls",
+      "patterns": ["grpcurl.*invoke", "main.*grpc", "InvokeRPC", "grpcurl.*dial"],
+      "weight": 0.15
+    },
+    {
+      "id": "chain_2",
+      "description": "grpc-go creates client connection (Dial/DialContext)",
+      "patterns": ["grpc\\.Dial", "grpc\\.DialContext", "NewClient.*Conn", "clientconn"],
+      "weight": 0.20
+    },
+    {
+      "id": "chain_3",
+      "description": "grpc-go uses HTTP/2 Transport for client-side HTTP/2",
+      "patterns": ["http2\\.Transport", "newHTTP2Client", "http2Client\\.Do", "transport.*dial"],
+      "weight": 0.25
+    },
+    {
+      "id": "chain_4",
+      "description": "golang.org/x/net/http2.Transport is used (CLIENT side)",
+      "patterns": ["http2\\.Transport", "Transport\\.RoundTrip", "ConfigureTransport", "client.*http2"],
+      "weight": 0.20
+    },
+    {
+      "id": "chain_5",
+      "description": "Confirm that http2.Server.ServeConn is NEVER called (server-side code path not used)",
+      "patterns": ["no.*ServeConn", "never.*Server", "not.*server.*code", "client.*only", "no.*server.*path"],
+      "weight": 0.20
+    }
+  ],
+  "negative_checks": [
+    {
+      "id": "negative_1",
+      "description": "Must NOT claim grpcurl is affected or vulnerable",
+      "patterns": ["grpcurl.*affected", "grpcurl.*vulnerable", "grpcurl.*exploitable", "affected.*yes"],
+      "must_be_absent": true,
+      "weight": 0.30
+    },
+    {
+      "id": "negative_2",
+      "description": "Must NOT claim the vulnerability is CRITICAL or HIGH risk for grpcurl",
+      "patterns": ["risk.*critical", "risk.*high", "severity.*critical", "severity.*high"],
+      "must_be_absent": true,
+      "weight": 0.25
+    },
+    {
+      "id": "negative_3",
+      "description": "Must NOT recommend urgent patching (since project is not affected)",
+      "patterns": ["immediately.*upgrade", "urgent.*patch", "critical.*update", "must.*upgrade"],
+      "must_be_absent": true,
+      "weight": 0.20
+    },
+    {
+      "id": "negative_4",
+      "description": "Must NOT confuse client and server (e.g., claiming grpcurl runs an HTTP/2 server)",
+      "patterns": ["grpcurl.*server", "grpcurl.*ServeConn", "grpcurl.*listens", "grpcurl.*accepts.*connections"],
+      "must_be_absent": true,
+      "weight": 0.25
+    }
+  ],
+  "weights": {
+    "required_findings": 0.40,
+    "file_references": 0.20,
+    "causal_chain": 0.25,
+    "negative_checks": 0.15
+  }
+}